Client/server security by an intermediary executing instructions received from a server and rendering client application instructions

ABSTRACT

In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define a user interface; executing, using a headless browser, the first set of instructions without presenting the user interface; rendering a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the client computer.

FIELD OF THE DISCLOSURE

The present disclosure generally relates to security techniquesapplicable to client/server systems, and relates more specifically totechniques for improving the security of client computers interactingwith server computers through an intermediary computer.

BACKGROUND

The approaches described in this section are approaches that could bepursued, but not necessarily approaches that have been previouslyconceived or pursued. Therefore, unless otherwise indicated, it shouldnot be assumed that any of the approaches described in this sectionqualify as prior art merely by virtue of their inclusion in thissection.

Browsers are powerful computer program applications that may executeinstructions, received from a web server, to generate complex userinterfaces that are presented to a user through one or more devices,such as a display monitor or speakers. Perpetrators of fraud or theft(“fraudsters”) may inject malicious instructions, which when executed bya browser, may cause, 60368-0015 among other things, sensitive data tobe sent to an unknown party, the client computer to be used for acyber-attack, or malware to be installed on the client computer.

Browsers prevent some malware from being installed on a client computerby limiting functionality. For example, a browser, executing on a clientcomputer, may restrict a JavaScript run-time environment from accessingfiles stored on the client computer. However, fraudsters regularly findnew ways to embed malicious software through a browser. For example, afraudster may embed a key-logger program into an image file. After abrowser downloads an image file referenced in a web page, the browsermay store the image on the client computer. Opening the image file maycause executing the key-logger on the client computer. The key-loggermay record data indicating each keystroke a user makes regardless ofwhich program the user is currently using on the computer. Thekey-logger can send the recorded data back to the fraudster.

SUMMARY

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 illustrates functional units of a web browser in an exampleembodiment.

FIG. 2 illustrates a computer system comprising a hardened clientapplication, an intermediary headless browser, and a web infrastructurein an example embodiment.

FIG. 3 illustrates a headless browser and a web infrastructure in anexample embodiment.

FIG. 4 illustrates functional units of a headless browser and in-memorydata structures in an example embodiment.

FIG. 5 illustrates functional units of a hardened client application inan example embodiment.

FIG. 6 illustrates a process for intercepting instructions from a servercomputer, rendering new instructions, sending the new instructions to aclient application, receiving a request from the client computer, andresponding, in an example embodiment.

FIG. 7 illustrates a process for executing the intercepted instructionsin an example embodiment.

FIG. 8 illustrates a process for rendering instructions and implementingone or more watchdog features in an example embodiment.

FIG. 9 illustrates a computer system upon which an embodiment may beimplemented.

While each of the drawing figures illustrates a particular embodimentfor purposes of illustrating a clear example, other embodiments mayomit, add to, reorder, and/or modify any of the elements shown in thedrawing figures. For purposes of illustrating clear examples, one ormore figures may be described with reference to one or more otherfigures, but using the particular arrangement illustrated in the one ormore other figures is not required in other embodiments. Furthermore,while the instructions discussed in many example embodiments are HTML,JavaScript, and CSS instructions, in other embodiments, the instructionsintercepted and generated by the headless browser need not be HTML,JavaScript, and/or CSS instructions.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the present invention. It will be apparent, however,that the present invention may be practiced without these specificdetails. In other instances, well-known structures and devices are shownin block diagram form in order to avoid unnecessarily obscuring thepresent invention.

Embodiments are described herein according to the following outline:

-   -   1.0 Terms    -   2.0 General Overview    -   3.0 Separating Functional Components in a Browser        -   3.1 Browser Backend        -   3.2 Browser Frontend    -   4.0 Network Topology        -   4.1 Web Infrastructure        -   4.2 Headless Browser            -   4.2.1 Protocol Client            -   4.2.2 Browser Backend            -   4.2.3 Forward Transformer            -   4.2.4 Protocol Server Module            -   4.2.5 Transaction Store            -   4.2.6 Reverse Transformer            -   4.2.7 Configurations        -   4.3 Client Application            -   4.3.1 Security Module    -   5.0 Process Overview        -   5.1 Intercepting Instructions from a Content Server Computer        -   5.2 Rendering New, Different Instructions            -   5.2.1 Validating a Headless Browser            -   5.2.2 Validating a Client Application        -   5.3 Sending and Performing the Received Instructions        -   5.4 Requesting Additional Instructions    -   6.0 An Example Process to Manage a Bank Account through a        Hardened Client Application and a Headless Browser    -   7.0 Mitigating Risk of Infecting a Group's Internal Server        Computer    -   8.0 Implementation Mechanisms—Hardware Overview    -   9.0 Other Aspects of Disclosure

1.0 TERMS

For certain embodiments, some of the terms used herein may have some ofthe following meanings, among others:

A “computer” may be one or more physical computers, virtual computers,and/or computing devices. As an example, a computer may be one or moreserver computers, cloud-based computers, cloud-based cluster ofcomputers, virtual machine instances or virtual machine computingelements such as virtual processors, storage and memory, data centers,storage devices, desktop computers, laptop computers, mobile devices,and/or any other special-purpose computing devices. Any reference to “acomputer” herein may mean one or more computers, unless expressly statedotherwise.

A “browser” may be one or more computer programs or other softwareelements stored in electronic digital memory and running on a computerthat receives instructions from a server computer, performs one or moreof the received instructions, causes to display content, provides a userinterface (“UI”) to receive user inputs, and/or receives and responds toone or more inputs from a user based on or according to the one or moreperformed instructions. A browser and/or components of a browser may beimplemented into an application. For example, a browser and/orcomponents of a browser may be implemented into a mobile application aspart of a web view, and/or web view controller, to send and/or receivedata over HTTP and/or other protocol. A user may use a browser to senddata to a server computer. The server computer may respond withadditional instructions.

A “web browser” may be a browser that receives instructions comprisingHTML, CSS, and/or JavaScript over HTTP or some derivative thereof, suchas HTTPS.

A “headless browser” may be one or more computer programs or softwareelements executed on a computer that receives a set of instructions froma server computer, performs one or more of the received instructions,generates a different set of instructions, and/or sends the differentset of instructions to a client application executed on a separatecomputer. Additionally or alternatively, a headless browser need notcause presenting a UI to a user at the computer that the headlessbrowser is running on according to the received set of instructionsand/or the rendered set of instructions. Additionally or alternatively,a headless browser need not provide a user interface (“UI”) to receiveuser inputs and/or respond to user inputs according to the set ofreceived, executed instructions. Additionally or alternatively, aheadless browser may receive, and/or respond to, data received from aclient application. The data received from the client application may begenerated by the client application in response to a user input.Additionally or alternatively, a headless browser may implement one ormore security mechanisms to verify the integrity of one or morecommunicatively coupled client applications.

A “client application” may be one or more computer programs or softwareelements executed on a computer, which when executed causes the computerto present a UI to a user based on instructions received from a servercomputer and/or headless browser.

A “hardened client application” may be a client application thatpresents a UI to a user based on specialized instructions received froma headless browser. A hardened client application may comprise a browserand/or components of a browser. A hardened client application mayimplement one or more one or more security mechanisms to verify thevalidity of a headless browser.

“Specialized instructions” or “application instructions” may mean one ormore instructions sent from a headless browser to a client application,which the client application is programmed to process.

“Presenting a UI” or “providing a UI” may mean visually displaying orrendering graphical images of objects that are defined in a set ofreceived instructions according to the received set of instructions.Additionally or alternatively, presenting may mean playing audio orother multimedia content to a user according to a received set ofinstructions. Additionally or alternatively, presenting an UI orproviding a UI may mean providing a UI to receive user inputs and/orrespond to user inputs according to a set of received, executedinstructions.

“Sending and/or receiving data over HTTP” may mean sending and/orreceiving data and/or instructions using HyperText Transfer Protocol.Additionally or alternatively, “sending and/or receiving data over HTTP”may mean sending and/or receiving data and/or instructions using asubset of the HTTP, such as secure HTTP (HTTPS). Additionally oralternatively, one or more other protocols may be used, such as SPDYand/or a long-running socket.

A “long-running socket” between may be a socket that remains open foreither a client computer and/or a server computer to send and/or receivedata over an indefinite period of time. For example, after a servercomputer sends instructions to a client computer using a long-runningsocket, the server computer need not close the long-running socket.Additionally or alternatively, after the client computer sends data toserver computer, the client computer need not close the long-runningsocket. Accordingly, using a long-running socket a client computer andserver computer need not open a new socket to each time either sendsand/or receives data from the other. A long-running socket may implementa standard protocol, such as web sockets, or a proprietary protocol.

An “object” may be a data structure that can be identified by anidentifier and/or a relationship with another object. For example, anobject may have a unique identifier that is a string, such as adocument, customer number, username, address, and/or offset.Accordingly, the object may be referenced and/or retrieved using theidentifier. Also for example, if a particular object is the first childobject of a parent object, then the particular object may be referencedand/or retrieved using a pointer to the parent object and thenretrieving a pointer to the first child object. A method of referencingobjects by identifier and/or relationships is called XPath. An objectmay be a particular type of object. For example, one object may be abutton, another object may be an input, or specifically a text field,and another object may be an image.

An “attribute” may be data that identifies and/or describes theappearance, behavior, and/or content of an object. For example, anattribute may be a unique identifier, such as a name. An attribute mayindicate that an object is a type of input, such as a text field, textarea, checkbox, and/or radio button. An attribute may indicate that anobject is a password text field; accordingly, a client applicationrendering the text field object on a monitor need not cause thecharacters that are entered into the field object to be displayed. Anattribute associated with the text field object may be updated toinclude the value entered in the text field. Other attributes may defineor describe dimension, position, color, visibility, value, and any otherfunctional or visual aspect of an object.

A “document object model” (“DOM”) may be a cross-platform andlanguage-independent representation of one or more objects that areinterrelated. For example, a DOM may represent one or more objects in anobject tree and/or hierarchy. An object within the hierarchy may be aparent object, which has one or more child objects. A child object mayalso have one or more child objects.

“Creating, updating, and/or removing an object” may mean creating,updating, and/or removing a data structure in memory that represents anobject, an object's attributes, and/or relationships between an objectand one or more other objects; because these processes directly orindirectly involve changing the state of registers or other structuresin electronic digital memory circuits, the processes necessarily involveusing a computer to transform the state of tangible things.

An “operation” may be any function, method, script, and/or any othercode, which when executed operates on an object.

“Operating on an object” may mean creating, removing, and/or updating anobject. Additionally, “operating on an object” may mean performing oneor more operations that use an object, attribute, and/or relationshipbetween an object and one or more other objects as input.

“Instructions” may mean one or more codes and/or data that define one ormore objects and/or one or more operations. For example, instructionsmay comprise HyperText Markup Language (“HTML”), eXtensible MarkupLanguage (“XML”), cascading style sheets (“CSS”), JavaScript, and/or anyother standard or proprietary languages or codes that define objects,attributes, relationships between objects, and/or operations.

“Performing instructions” or “executing instructions” may mean creatingone or more objects and/or performing one or more operations defined bythe instructions.

“Rendering instructions” may mean generating one or more instructions.The rendered instructions may be based on objects and/or operationsstored in memory, such that when the generated one or more instructionsare executed the same objects and/or same operations are created inmemory.

A first object may be the “same” as a second object if the first objectmaintains the same one or more values, attributes, and/or relationshipsas the second object. The underlying representation of the first objectin memory need not be the same as the underlying representation of thesecond object in memory. For purposes of illustrating a clear example,assume that a first program is allocated a first memory segment; asecond program is allocated a second segment; the first programmaintains a first object in the first memory segment; the second programmaintains a second object in the second memory segment; the first objectcomprises a value: six; the second object comprises a value: six. Inthis situation, the first object and the second object may be the sameobject because the first object maintains the same value as the secondobject, even though the first object and the second object are locatedin different memory segments.

If the value stored in the first memory segment is stored as an 8-bitinteger and the value stored in the second memory segment is stored asan American Standard Code for Information Interchange (“ASCII”) string,then the first object and the second object may be the same objectbecause the first object maintains the same value as the second object,even though the underlying representation of the value in the firstmemory segment is stored differently than the representation of thevalue in the second memory segment.

As another example, assume that the first program is running on a firstcomputer that comprises a 32-bit processor and addresses memory using32-bit addresses; the second program is running on a second computerthat comprises a 64-bit processor and addresses memory using 64-bitaddresses; the first object is a parent object and comprises a pointerto a child object stored in the first memory segment; the second objectis a parent object and comprises a pointer to a child object stored inthe second memory segment. In this situation, the first object and thesecond object may be the same object because the first object maintainsthe same values and relationships as the second object, even though thepointer to the child stored in the first memory segment may be a 32-bitpointer and the pointer in the second memory segment may be a 64-bitpointer.

If the first program stores the data that represents the first objectcontiguously in the first memory segment and the second program storesthe data that represents the second object scattered throughout thesecond memory segment, then the first object and the second object maybe the same object, even though the underlying data structure thatrepresents the first object is stored differently than the underlyingdata structure that represents the second object.

Or, for example, assume the first program is a first HTTP browser; thesecond program is a second, different HTTP browser; the first object mayhave an attribute, “id”; the second object may have an attribute, “id”;the value for the “id” attribute is “MyObject” for both the first objectand the second object is. In this situation, the underlyingrepresentation of the first object in the first browser may bedrastically different than the underlying representation of the secondobject in the second browser. However, the operations that operate onthe two objects may be programmatically identical. For example, the sameJavaScript executed by the first HTTP browser and the second HTTPbrowser may retrieve the first object maintained by the first HTTPbrowser and the second object, respectively:document.getElementById(“MyObject”).

Other factors that may result in a different underlying representationof the same object may include the endianness of a processor, amount ofmemory available, different applications, and/or any other differenthardware and/or software configurations.

“Data” may mean any data and/or instructions in electronic digitalmemory.

An “attribute map” may be a map from one attribute name and/or value toone or more other names and/or values. For example, assume an object hasan attribute, “id”, which defines a unique identifier: “MyObject”. Anattribute map may associate “MyObject” with a different uniqueidentifier, such as “tcejbOyM”. Additionally, an attribute map may beused to map a modified attribute name and/or value to an original nameand/or value. An attribute map may be an operation, hash map, and/or anyother method or associative data structure.

A “DOM map” may be a map from a first DOM to a second, different DOM.For example, a DOM map may be a collection of attribute maps. Eachattribute map in the DOM map may be an attribute map for an attribute ofan object in a first DOM with a modified attribute in a second DOM.Additionally or alternatively, a DOM map may map one hierarchy toanother, different hierarchy, and back again. For example, a DOM map maymodify a relationship between a first object and a second object, suchthat a first object is not related to a second object in a first DOM,and the first object is a parent object to the second object in thesecond DOM.

A “bot” may mean a computer and/or software executed by a computer thatautomates sending and/or receiving data. For example, a bot may be a webscraper, web crawler, automatic web browser, and/or any other tooldesigned to submit and/or receive data from one or more web servers. Abot may comprise complex logic designed to respond to data received fromone or more web servers.

2.0 GENERAL OVERVIEW

In an embodiment, a data processing method comprises intercepting, froma server computer, a first set of instructions that define a userinterface; executing, using a headless browser, the first set ofinstructions without presenting the user interface; rendering a secondset of instructions, which when executed by a client application on aclient computer, cause the client computer to present the userinterface, wherein the second set of instructions are different than thefirst set of instructions; sending the second set of instructions to theclient computer.

In an embodiment, the method comprises executing, using the headlessbrowser, the first set of instructions to produce one or more datastructures in memory; rendering the second set of instructions, whichwhen executed by the client application cause the client computer togenerate the one or more data structures in memory on the clientcomputer.

In an embodiment, the method comprises executing, using the headlessbrowser, the first set of instructions to produce one or more datastructures in memory; updating the one or more data structures based, atleast in part, on a configuration to produce one or more updated datastructures; rendering the second set of instructions, which whenexecuted by the client application cause the client computer to generatethe one or more updated data structures in memory on the clientcomputer.

In an embodiment, the method comprises receiving, at an intermediarycomputer, a first request for a first intermediary credential to verifythat the intermediary computer is a valid intermediary computer; sendingthe first intermediary credential to the client application; receiving,at the intermediary computer, a second request for a second intermediarycredential, wherein the first request is different than the secondrequest; sending the second intermediary credential to the clientapplication, wherein the first intermediary credential is different thanthe second intermediary credential.

3.0 SEPARATING FUNCTIONAL UNITS OF A WEB BROWSER

A web browser may be a tool through which application programs canprovide client computers with content in a dynamic, custom UI. Forexample, in response to receiving a request for data from a web browser,a web server responds with a set of instructions. The instructions maydefine object that include data organized into objects. The instructionsmay also define how the data and/or objects may be presented in a UI.

Unfortunately, attackers may install malicious instructions on a clientcomputer, by exploiting features of a vulnerable web browser. Forexample, an attacker may embed malicious instructions in content hostedon a web server, such as a web page, image, or other media. After avulnerable web browser receives and performs the instructions includedin the content from the web server, then the web browser may installand/or execute the malicious instructions on the client computer runningthe vulnerable web browser. Thus, an attacker may infect a clientcomputer by including instructions in a web page, which when executed bya web browser, causes the web browser to execute the maliciousinstructions on the client computer.

Separating the frontend of a browser (“browser frontend”) from thebackend of a browser (“browser backend”) may protect a client computer.The browser frontend, as discussed in detail herein, may present a UI toa user using a client computer. The browser backend, as discussed indetail herein, processes content received from a web server. Forpurposes of illustrating a clear example, assume a browser backend isexecuted on a server computer, a browser frontend is executed on aclient computer, and an attacker has embedded malicious instructions inone or more JavaScript instructions. If the browser backend performs theJavaScript on the server computer, not the client computer, then theclient computer need not execute the JavaScript with the embeddedmalicious instructions.

A headless browser, which may include a browser backend, may applyadditional transformations which prevent malicious instructions and/orother data from being installed and/or executed on a client computer.For example, a headless browser may use a browser backend to performinstructions received from a web server. In response, the headlessbrowser may generate one or more data structures that correspond to theobjects defined in the received instructions, but need not include theinstructions received from the web server. The headless browser maymodify the data structures. The headless browser may render and send oneor more application instructions to a client application, which whenexecuted by the client application on a client computer recreate thedata structures in memory on the client computer. The clientapplication, which may include a browser frontend, may process theapplication instructions and present a user interface with the browserfrontend based, at least in part, on the in-memory data structures.

FIG. 1 illustrates functional units of a web browser in an exampleembodiment. Browser 100 may be a browser that is executed on a personalcomputer, used to communicate with or otherwise conceptually visit a webserver, and operated by a user using the personal computer. Browser 100includes browser backend 101 and browser frontend 120. Browser 100 iscommunicatively coupled with operating system (“OS”) system applicationprogramming interface (“API”) layer 150 and OS frontend API layer 160.

3.1 Browser Backend

Browser backend 101 comprises protocol module 102, domain name server(“DNS”) module 104, local storage module 106, image parser 108, CSSparser 110, HTML parser 112, JavaScript parser 114, extension executionenvironment 116, document object model (“DOM”) module 118, andJavaScript execution environment 119. Other embodiments may use otherprotocols, modules, and/or parsers.

Protocol module 102, DNS module 104, and local storage module 106 maysend and/or receive data through OS System API layer 150. For example,protocol module 102 may send and/or receive data over any protocol, suchas HTTP, to/from a server computer through OS system API layer 150. Datareceived through protocol module 102 may reference data sources by oneor more domain names. DNS module 104 may resolve the one or more domainnames referenced by interfacing with one or more remote domain nameservers through OS system API layer 150. Local storage module may storeand/or recall data from memory through OS system API layer 150.

Image parser 108, CSS Parser 110, HTML parser 112, and JavaScript parser114 may parse data received through protocol module 102. HTML parser 112may parse HTML data. CSS parser 110 may parse CSS data. JavaScriptparser 114 may parse JavaScript data. Image parser 108 may parse imagedata. Each parser may generate and/or update objects in a DOM maintainedby DOM module 118.

Browser backend 101 may comprise sets of program logic implementing oneor more programmable engines, such as extension execution environment116 and JavaScript execution environment 119. Extensions may be writtenone or more programming languages include JavaScript, Python, Ruby,and/or any other language. Each programmable engine may have access toDOM module 118 and may operate on one or more objects from a DOMmaintained by DOM module 118. For example, JavaScript executionenvironment 119 may execute JavaScript parsed by JavaScript parser 114and in response, create, update, and/or delete one or more objectsmanaged by DOM module 118.

3.2 Browser Frontend

Browser frontend 120 comprises rendering engine 122, interactivitymodule 124, and user interface 126. Each of the components may cause,through OS frontend API layer 160, one or more objects to be presentedto a user using a client computer.

Rendering engine 122 may determine how objects are presented to a user.For example, rendering engine 122 may determine the color, shape,orientation, position, and/or any other visual and/or audio attribute ofan image, text field, button, and/or any other object defined by a setof received instructions. Furthermore, rendering engine 122 may cause abutton to be displayed on a monitor coupled to a client computer throughOS frontend API layer 160.

User interface 126 may determine what may be presented to a user. Forexample, user interface 126 may determine that a “submit” button shouldbe hidden until data has been entered in one or more text fields. Afterdata has been entered in the one or more text fields, user interface 126may notify rendering engine 122 to render the “submit” buttonaccordingly.

Interactivity module 124 may receive one or more inputs through OSFrontend API layer 160. For example, in response to a user pressing abutton on a mouse coupled to a client computer 299, the OS running onthe client computer may send a message to interactivity module 124,through OS frontend API layer 160, to indicate that a user pressed abutton on a mouse. Interactivity module 124 may determine that a userselected a particular button currently presented on a monitor.Interactively module 124 may notify user interface 126 and/or renderingengine 122 to update to update the UI accordingly.

4.0 NETWORK TOPOLOGY

FIG. 2 illustrates a computer system comprising a hardened clientapplication, an intermediary headless browser, and a web infrastructurein an example embodiment. Referring first to FIG. 2, system 200 includesweb infrastructure 205, client computer 299, intermediary computer 230,and data store 240, distributed across a plurality of interconnectednetworks. Intermediary computer 230 may execute one or more headlessbrowsers. For example, in FIG. 2, intermediary computer 230 comprisesand executes headless browser 232.

While each of the components listed above is illustrated as if runningon a separate, remote computer from each other, one or more of thecomponents listed above may be part of and/or executed on the samecomputer. For example, headless browser 232, data store 240, and/or webinfrastructure 205 may be executed on the same computer, local area,and/or wide area network. Additionally or alternatively, intermediarycomputer 230 and/or headless browser 232 may be a proxy server and/orlayer for web infrastructure 205. Additionally or alternatively,intermediary computer 230 and/or headless browser 232 may be in linebetween a router and web infrastructure 205, such that intermediarycomputer 230 and/or headless browser 232 may intercept all network datasent to, and/or sent from, web infrastructure 205 over one or moreprotocols. Additionally or alternatively, headless browser 232 may be asoftware layer between web infrastructure 205, and/or a component of webinfrastructure 205, and hardened client application 295.

4.1 Web Infrastructure

Referring again to FIG. 2, web infrastructure 205 may be one or moreserver computers that receive requests for data from users through oneor more browsers, such browser 100 and/or headless browser 232. Webinfrastructure 205 may respond by sending data to the browser that sendsthe request. As illustrated in FIG. 2 the data sent from webinfrastructure 205 may include instructions: HTML, JavaScript, and CSS210.

FIG. 3 illustrates a web infrastructure in an example embodiment. Theweb infrastructure 205 may be described with reference to original webserver computer 302 and third party web server computers 306 in FIG. 3,but using the particular arrangement illustrated in FIG. 3 is notrequired in other embodiments.

Original web server computer 302 may be a server computer that receivesrequests for data and responds with data. For example, original webserver computer 302 may be an HTTP-based web server that receives HTTPrequests and responds with data comprising HTML, CSS, and/or JavaScriptinstructions. Additionally or alternatively, original web servercomputer 302 may respond with data that references data on other servercomputers, such as third party web server computers 306.

Third party web server computers 306 may store additional datareferenced by instructions sent from original web server computer 302.For example, data from original web server computer 302 may include areference to a JavaScript file stored on third party web servercomputers 306. Accordingly, a headless browser and/or a browser backend,such as a browser backend 101 and/or headless browser 232, may requestthe referenced JavaScript file from third party web server computers306. Also for example, data from original web server computer 302 mayinclude a reference to an image stored on third party web servercomputers 306. Accordingly, a headless browser and/or a browser backend,such as browser backend 101 and/or headless browser 232, may request thereferenced image from third party web server computers 306.

4.2 Headless Browser

Returning now to FIG. 2, headless browser 232 may be an intermediarythat may intercept instructions sent from web infrastructure 205,execute one or more of the intercepted instructions, generate newspecialized instructions, and send the specialized instructions to aclient application. For example, headless browser 232 may interceptHTML, JavaScript, and CSS 210, generate application instructions 290,and send application instructions 290 to hardened client application295. Application instructions 290 may comprise proprietary and/orstandard instructions. If application instructions 290 include HTML,JavaScript, and/or CSS instructions, then application instructions 290may include different HTML, JavaScript, and/or CSS instructions thanHTML, JavaScript, and CSS 210. Additionally, headless browser 232 mayintercept a request from hardened client application 295, generate a newand/or modified request, and send the new and/or modified request to webinfrastructure 205.

In FIG. 2, headless browser 232 may be an HTTP or SPDY intermediary thatintercepts, executes, and/or processes HTML, JavaScript, and CSSinstructions. Additionally or alternatively, headless browser 232 mayintercept requests for data and/or instructions from a clientapplication, generate an HTTP request, and send the generated HTTPrequest to one or more HTTP and/or SPDY-based web servers. However,headless browser 232 may be an intermediary for any other standardand/or proprietary protocol. Furthermore, each of the componentsdiscussed, which headless browser 232 is comprised of, may be configuredto perform any of the processes and/or methods discussed herein for anystandard and/or proprietary protocol.

Intermediary computer 230 may be a server computer that one or moredomain name servers or other elements of the domain name system (“DNS”)identify in DNS records as a destination network address associated withone or more internet domain names. Accordingly, intermediary computer230 and/or headless browser 232 may receive requests sent to the one ormore domains from hardened client application 195. Based on using DNS toresolve the domain name in a request to a network address, intermediarycomputer 230 and/or headless browser 232 may forward the request, or amodified request, to a server computer in web infrastructure 205, suchas original web server computer 302.

In FIG. 2, headless browser 232 is programmed to receive instructionsfrom, and send requests to, a particular server computer or a particularset of server computers, such as a set of one or more web servers thatare owned and/or managed by a single entity, like a particular bank.However, in an embodiment, headless browser 232 may be programmed toreceive instructions from, and send requests to, more than oneparticular server computer and/or particular set of computers.

In FIG. 2, headless browser 232 is programmed to send applicationinstructions to, and receive requests from, a particular type of clientapplication: hardened client application 295. However, in an embodiment,headless browser 232 may be programmed to send application instructionsto, receive requests from, and/or open sockets with, one or more typesof client applications.

FIG. 3 illustrates, among other things, a more detailed view of headlessbrowser 232, in an example embodiment. The example headless browser 232may be described with reference to several components illustrated inFIG. 3 and discussed in detail below, but using the particulararrangement illustrated in FIG. 3 is not required in other embodiments.For example, headless browser 232 may comprise protocol client module332, browser backend 334, forward transformer 336, protocol servermodule 338, transaction module 340, and reverse transformer 342. In anembodiment, each of the functional units of intermediary computer 230and/or headless browser 232 may be implemented using any of thetechniques further described herein in connection with FIG. 9; forexample, the intermediary computer 230 may comprise a general-purposecomputer configured with one or more stored programs which when executedcause performing the functions described herein for the intermediarycomputer, or a special-purpose computer with digital logic that isconfigured to execute the functions, or digital logic that is used inother computing devices.

4.2.1 Protocol Client

Protocol client module 332 may intercept data over any standard orproprietary protocol. For example, protocol client module 332 mayintercept data over HTTP. Accordingly, protocol client module 332 may becommunicatively coupled with web infrastructure 205, original web servercomputer 302, and third party web server computers 306.

4.2.2 Browser Backend

Browser backend 334 may be an HTTP-based headless browser similar tobrowser backend 101. Additionally or alternatively, browser backend 334may be based on one or more other standard and/or proprietary protocols.

Browser backend 334 may perform instructions intercepted by protocolclient module 332, which cause browser backend 334 to generate one ormore objects. After performing the instructions, browser backend 334 maynotify forward transformer 336 to begin rendering instructions based onthe data structures created by browser backend 334 that are currently inmemory. Accordingly, browser backend 334 and forward transformer 336 maybe communicatively coupled.

Browser backend 334 may make requests for additional data. For example,if instructions received from Protocol client module 332 referenceadditional instructions stored on a third party web server, browserbackend 334 may request the additional instructions through protocolclient module 332. Accordingly, browser backend 334 and protocol clientmodule 332 are communicatively coupled.

4.2.3 Forward Transformer

Forward transformer 336 may render a new set of instructions based onthe one or more objects and/or operations in memory. Additionally oralternatively, forward transformer 336 may operate on the objectscreated by browser backend 334 and generate one or more attribute mapsand/or DOM maps. Forward transformer 336 may store the one or moreattribute maps and/or DOM maps in data store 240. Accordingly forwardtransformer 336 may be communicatively coupled to data store 240.

Forward transformer 336 may operate on objects and/or renderinstructions based on one or more configurations specified inconfiguration 242. Accordingly, forward transformer 336 may becommunicatively coupled to configuration 242.

Forward transformer 336 may send the rendered instructions to protocolserver module 338. Accordingly, forward transformer 336 may becommunicatively coupled to protocol server module 338.

4.2.4 Protocol Server Module

Protocol server module 338 may receive the instructions generated byforward transformer 336 and send the generated instructions to hardenedclient application 295. Additionally or alternatively, protocol servermodule 338 may intercept requests from hardened client application 295and forward the requests to transaction module 340. Accordingly,protocol server module 338 may be communicatively coupled to hardenedclient application 295, forward transformer 336, and transaction module340.

4.2.5 Transaction Store

Transaction module 340 may receive requests intercepted by protocolserver module 338 from hardened client application 295. Transactionmodule 340 may retrieve one or more attribute maps and/or DOM maps,based on data in the request, and forward the request with the retrievedone or more attribute maps and/or DOM maps to reverse transformer 342.Accordingly, transaction module 340 may be communicatively coupled withreverse transformer 342 and data store 240.

4.2.6 Reverse Transformer

Reverse transformer 342 may translate requests intercepted by protocolserver module 338, which are based on instructions generated by forwardtransformer 336, into requests that would have been generated byhardened client application 295 had hardened client application 295 beena web browser and had received the original instructions sent fromoriginal web server computer 302. Reverse transformer 342 may translaterequests based on the one or more attribute maps and/or DOM mapsretrieved by transaction module 340. Reverse transformer 342 may sendthe translated request to original web server computer 302 throughprotocol client module 332. Accordingly, reverse transformer 342 may becommunicatively coupled with protocol client module 332.

4.2.7 Configurations

Configuration 242 may be a database, a configuration file, and/or anyother system that stores configurations: settings, preferences, and/orprotocols. Configuration 242 may store more than one configuration forone or more web servers in web infrastructure 205 and/or one or moreheadless browsers.

4.3 Client Application

Returning to FIG. 2, in an embodiment, hardened client application 295may be a client computer program application executed on client computer299. FIG. 5 illustrates functional units in a hardened clientapplication in an example embodiment. In FIG. 5, hardened clientapplication 295 comprises specialized protocol module 502, specializedparser 504, security module 506, DOM module 518, specialized executionenvironment 520, rendering engine 522, interactivity module 524, anduser interface module 528. Hardened client application 295, and/or oneor more of its components, may be communicatively coupled with anintermediary, such as intermediary computer 230 and/or headless browser232, through OS system APIs 550.

Specialized protocol module 502 may send requests to, and/or receiveapplication instructions from, an intermediary, such as headless browser232. Specialized protocol module 502 may send and/or receive data over astandard protocol, such as HTTP. Additionally or alternatively,specialized protocol module 502 may receive instructions using aproprietary protocol, such as a proprietary long running socketconnection.

Specialized parser 504 may process application instructions received byspecialized protocol module 502. The application instructions may be oneor more standard and/or proprietary instructions. Applicationinstructions may be a limited set of instructions that cause hardenedclient application 295 to perform one or more methods that have beentested or otherwise deemed secure and/or non-harmful by the author(s)and/or distributor(s) of hardened client application 295.

Specialized execution environment 520 may have access to DOM module 518and may operate on one or more objects from a DOM maintained by DOMmodule 518. For example, specialized execution environment 520 mayexecute the application instructions parsed by specialized parser 504and in response, create, update, and/or delete one or more objectsmanaged by DOM module 518.

Rendering engine 522, interactivity module 524, and/or user interface528 may performed the methods and/or features discussed regardingrendering engine 122, interactivity module 124, and user interface 126,respectively. Rendering engine 522, interactivity module 524, and/oruser interface 528 may cause a UI to be presented to a client usingclient computer 299 through OS fronted APIs 560.

In an embodiment, a client application may be isolated by the underlyingOS on the client computer. For example, the data stored on clientcomputer 299 may be encrypted by the hardened client application 295,such that no other application may read the data stored on the device byhardened client application 295. Additionally or alternatively, theoperation system may limit the locations on client computer 299 wherethe hardened client application 295 may store data. In an embodiment,the OS need not allow the hardened client application 295 to storeand/or install any data and/or instruction in persistent memory, and/ora file system used by one or more other applications installed on clientcomputer 299.

4.3.1 Security Module

Security module 506 may respond to requests from a headless browser toverify that hardened client application 295 is a secure and validhardened client application and may perform a security validation of theapplication. Additionally or alternatively, security module 506 may senda request to a headless browser, such as headless browser 232, to verifythat headless browser 232 is a secure and valid headless browser.Security module 506 may be programmed to expect a particular correctresponse, which may change over time, from a secure and valid headlessbrowser. If the response from the headless browser is incorrect, thensecurity module 506 may cause the hardened client application 295 todisconnect from the headless browser. Additionally or alternatively, ifthe response from the headless browser is incorrect, then securitymodule 506 may cause hardened client application 295 to disregard and/ornot perform application instructions received from the headless browser.Additionally or alternatively, security module 506 may be a watchdogprocess that limits the functionality and/or operations performed byhardened client application 295 to reinforce security.

Security module 506 may be a watchdog process that monitors otherprocesses and/or applications executed by client computer 299 as theprocesses are instantiated and executed, ending monitoring when theprocesses terminate. For example, security module 506 may detect if an“outside process” (a process and/or application other than hardenedclient application 295) is instantiated or accesses, and/or attempts toaccess, memory allocated to hardened client application 295 on clientcomputer 299. If so, security module 506 may terminate hardened clientapplication 295 and/or the outside process. Additionally oralternatively, security module 506 may prevent hardened clientapplication 295 from accessing memory outside of the memory allocated tohardened client application 295 on client computer 299.

Security module 506 may encrypt and/or decrypt data stored and/or readby hardened client application 295 in volatile or non-volatile memory onclient computer 299. Additionally or alternatively, security module 506may encrypt and/or decrypt data and/or instructions sent betweenhardened client application 295 and headless browser 232.

Security module 506 may store data on intermediary computer 230 and/ordata store 240. For example, instead of storing a user's credentialgranting access to a bank account on client computer 299, securitymodule 506 may upload the user's credential to headless browser 232.Headless browser 232 and/or one of its modules may store the user'scredential in data store 240. Additionally or alternatively, securitymodule 506 may upload the user's credential to data store 240, withoutusing headless browser 232.

Security module 506 may prevent hardened client application 295 frominstalling and/or storing executable content on client computer 299. Forexample, executable code may be embedded in an image file, which wheninstalled and/or used, causes a key logger to be executed by clientcomputer 299. The key logger may log a user's input, such as keystrokes, and report what a user typed to a fraudster. In this example,security module 506 may prevent hardened client application 295 fromstoring, opening, and/or using an image file and/or any other contentthat may be, or may potentially be, malicious and/or insecure.Additionally or alternatively, security module 506 may also simulatekeyboard signal to inject false data in a running key logger.

Security module 506 may implement one or more polymorphic methods and/orprotocols that prevent a bot, automated script, and/or process fromreading data caused to be presented by rendering engine 522,interactivity module 524, and/or user interface 528. Security module 506may implement one or more polymorphic methods and/or protocols thatprevent an automated script and/or process from inputting data intorendering engine 522, interactivity module 524, and/or user interface528.

Security module 506 may perform one or more integrity checks to ensurethat all the data intended to be sent and/or received between hardenedclient application 295 and headless browser 232 is actually received bythe intended recipient. For example, security module 506 may perform achecksum on a set of application instructions sent by headless browser232. Security module 506 may compare the checksum with a checksumembedded in the received application instructions by headless browser232. Additionally or alternatively, security module 506 may embed achecksum in data and/or instructions set to headless browser 232.Headless browser 232 may compute a checksum and compare the computedchecksum with the checksum embedded in the received data and/orinstructions. If data and/or instructions are received by headlessbrowser 232 and/or hardened client application 295 that include checksumthat does not match a computed checksum, then headless browser 232and/or hardened client application 295 may ignore the data and/orinstructions.

5.0 PROCESS OVERVIEW

In an embodiment, a data processing method may be configured tointercept instructions from a server computer that are directed toward aclient computer, execute the intercepted instructions within the servercomputer without providing the original instructions to the clientcomputer, generate different instructions, and/or send the differentinstructions to a client application to present a UI based on theintercepted instructions. In an embodiment, a data processing method maybe configured to receive requests from a client application, cache datafrom the request, modify the request, send the modified request to a webserver, receive data from the web server in response to the modifiedrequest, and/or send a response to the client application. Variousembodiments may use standard web protocols, such as HTTP, and/orstandard web-based instructions, such as HTML, CSS, and/or JavaScript.Additionally or alternatively, other standard and/or proprietaryprotocols may be used. Additionally or alternatively, other standardand/or proprietary instructions may be used.

5.1 Intercepting Instructions from a Content Server Computer

FIG. 6 illustrates a process for intercepting instructions from a servercomputer, rendering new instructions, sending the new instructions to aclient application, receiving a request from the client computer, andresponding, in an example embodiment. In step 610, a headless browserintercepts a first set of instructions from a server computer to aclient application on a remote client computer. For example, protocolclient module 332 may receive instructions from original web servercomputer 302. The instructions may comprise HTML, CSS, and/orJavaScript.

In step 620, the headless browser executes the intercepted instructions.For example, protocol client module 332 may send the HTML, CSS, and/orJavaScript to browser backend 334. Browser backend 334 may execute theinstructions.

FIG. 7 illustrates a process for executing the intercepted instructionsin an example embodiment. In step 710, a headless browser generates oneor more objects in computer memory based on the interceptedinstructions. For example, browser backend 334 may generate a DOMcontaining objects defined in the instructions in memory on intermediarycomputer 230. FIG. 4 illustrates objects and operations stored in memoryby browser backend 334, in an example embodiment. HTML parser 412 mayparse the HTML received by browser backend 334. Based on the parsedHTML, DOM module 418 may create DOM 450 and objects in DOM 450: object452 and object 454. Furthermore, based on the parsed HTML, DOM module418 may define object 452 to be the parent object of object 454 in DOM450. Additionally, one or more objects in DOM 450 may comprise one ormore attributes based on the parsed HTML. Furthermore, image parser 408,CSS parser 410, and/or JavaScript parser 414 may generate state info470, which is a collection of data and/or operations that referenceand/or are associated with objects in DOM 450.

Returning now to FIG. 7, in step 720, the headless browser performs oneor more operations which operate on the objects. For example, JavaScriptexecution environment 419 may execute one or more operations in stateinfo 470, which operate on the one or more objects in DOM 450.Additionally or alternatively, JavaScript execution environment 419 mayexecute one or more JavaScript instructions in received HTML,JavaScript, and CSS 210. Additionally or alternatively, extensionexecution environment 416 or JavaScript execution environment 420 mayperform one or more other operations that update DOM 450 and/or one ormore objects in DOM 450.

5.2 Rendering New, Different Instructions

Returning now to FIG. 6, in step 630, the headless browser renders asecond set of specialized instructions for the client application. Asdiscussed earlier, the originally received instructions may, but neednot be, HTML, CSS, and/or JavaScript instructions. Furthermore, therendered instructions may, but need not be, HTML, CSS, and/or JavaScriptinstructions. For purposes of illustrating a clear example, assume thatthe originally intercepted instructions in step 610 comprise HTML, CSS,and JavaScript instructions: HTML, JavaScript, and CSS 210. Furthermore,assume that forward transformer 336 is configured to generateproprietary application instructions that hardened client application295 is programmed to parse and perform, such as application instructions290.

In an embodiment, application instructions 290 may be limited to methodsand/or functions that have been deemed to be safe by hardened clientapplication 295. For example, hardened client application 295 maysupport one or more instructions to display a button at a particularlocation on a display. However, hardened client application 295 need notsupport one or more instructions that install and/or persistently storea image, pdf, flash file, data, and/or executable code on a clientcomputer.

In an embodiment, application instructions 290 do not include theheaders in the originally intercepted instructions. For example, forwardtransformer 336 may render application instructions 290 without the HTTPheaders included in HTML, JavaScript, and CSS 210. Additionally oralternatively, the headers in application instructions 290 may bedifferent than the headers in the intercepted instructions: HTML,JavaScript, and CSS 210.

In an embodiment, the UI may be partially predetermined by hardenedclient application 295. The rendered application instructions maycomprise data objects encoded in one or more standard and/or proprietarydata formats that populate a UI. For example, application instructions290 may include a string for a button label. Also for example,application instructions 290 may include data that indicates thedimensions and/or placement of the button. Application instructions 290need not contain executable instructions.

The rendered application instructions need not comprise the sameprogramming language(s), scripting language(s), and/or data interchangeformat(s) as the original instructions intercepted in step 610. Forexample, the rendered instructions may comprise one or more otherstandard languages, formats, and/or codes that are not included in theoriginally intercepted instructions: Dynamic HTML, XML, eXtensibleStylesheet Language, VBScript, Lua, YAML Ain′t Markup Language (“YAML”),JavaScript Object Notation (“JSON”), shell script, Java, Ruby, Python,and/or Lisp. Also for example, rendered application instructions maycomprise one or more proprietary, bit-packed, and/or binary encodedinstructions and/or data formats.

FIG. 8 illustrates a process for rendering new, different instructionsand implementing one or more watchdog features in an example embodiment.In step 810, the headless browser renders a second set of instructionsbased on the current state of the in-memory objects and operations. Forexample, forward transformer 336 may render application instructions290, which when executed, generate the same objects and/or operations ascurrently existing in in-memory data structures 400.

In an embodiment, before forward transformer 336 renders applicationinstructions 290, forward transformer 336 may modify one or morein-memory objects and/or operations based on one or more polymorphicprotocols. Additionally or alternatively, after forward transformer 336renders application instructions 290, forward transformer 336 may modifythe rendered application instructions 290. Accordingly, the content,and/or format of the content, from the headless browser to a clientapplication may vary over time. For example, according to a polymorphicprotocol, forward transformer 336 may modify one or more of theidentifiers of the objects and/or operations. Also for example, one ormore supervisor operations may be added which intercept calls tooriginally defined objects and/or operations. The one or more supervisoroperations may allow the caller method to operate on the referenceobject and/or operation based on one or more factors, such as whichmethod and/or operation called an originally defined object and/oroperation, or whether access to the called object and/or operation isallowed.

Forward transformer 336 may use configuration 242 to determine whichpolymorphic method(s) and/or protocol(s) to use. Accordingly,configuration 242 may define one or more polymorphic protocols.Additionally or alternatively, configuration 242 may define whichobjects, operations, and/or instructions may be modified. Additionallyor alternatively, configuration 242 may define which objects,operations, and/or instructions need not be modified.

Headless browser 232 may select a configuration in configuration 242based on any number of factors. For example, headless browser 232 mayselect a configuration in configuration 242 based on a domain associatedwith the server computer that the instructions were intercepted from.Additionally or alternatively, headless browser 232 may select aconfiguration in configuration 242 based on a random variable seeded bytime. Additionally or alternatively, headless browser 232 may select aconfiguration in configuration 242 based on attributes and/or propertiesof hardened client application 295. For example, headless browser 232may select a configuration based on what types of instructions hardenedclient application 295 is capable of interpreting and/or processing.

5.2.1 Validating a Headless Browser

In step 820, the headless browser may include an intermediary credentialto validate the headless browser. An intermediary credential may includea particular code and/or other data to validate the authenticity of theheadless browser. For example, forward transformer 336 may include anintermediary credential in application instructions 290. After hardenedclient application 295 receives the intermediary credential, securitymodule 506 may verify that the intermediary credential is valid. Inresponse, hardened client application 295 may execute client applicationinstructions 290; otherwise, hardened client application 295 may discardthe received application instructions.

The intermediary credential may be dynamic. For example, a dynamiccredential may be based on time and/or any other factor(s). A clientapplication may be programmed to expect and/or validate the correctintermediary credential from headless browser 232. If the intermediarycredential is dynamic, then a fraudster may have a harder time spoofingthe intermediary credential, and thus a harder time spoofing a headlessbrowser.

A headless browser may send an intermediary credential to a clientapplication in other cases. For example, a headless browser may send anintermediary credential to a client application when the clientapplication and the headless browser are opening a long-running socket.Also for example, in response to a request from a first clientapplication, a headless browser may respond with an intermediarycredential.

5.2.2 Validating a Client Application

In step 830, the headless browser may include one or more instructionsto validate the client application. For example, forward transformer 336may include one or more instructions, which when processed by a clientapplication, may cause security module 506 to return a clientapplication credential to validate that hardened client application 295is a valid, uncompromised client application. The one or moreinstructions may be based on an account, username, password, internetprotocol address, clock, and/or any other factor(s) or input. Ifhardened client application 295 fails to provide a valid clientapplication credential, then headless browser 232 may terminate theconnection and/or ignore requests from hardened client application 295.

The client application credential may be dynamic and/or changeperiodically. For example, the one or more instructions to validate theclient application may be based on a clock time, causing a clientapplication credential to change over time. Additionally oralternatively, security module 506 may be programmed to give one of apreset number of client application credentials. Headless browser 232may be programmed to expect the correct client application credentialfrom hardened client application 295. The client application credentialmay be encrypted using one or more encryptions schemes. If the clientapplication credential is dynamic, then a fraudster may have harder timespoofing a client application credential, and thus a comprising and/orspoofing a client application.

Headless browser 232 may request to validate the client application fromtime to time, without sending a corresponding set of applicationinstructions. For example, forward transformer 336 may send a request tovalidate hardened client application 295 when hardened clientapplication 295 and the headless browser 232 are opening a long-runningsocket.

After headless browser 232 receives a client application credential,headless browser 232 or a module, such as protocol server module 338,transaction module 340, and/or reverse transformer 342, may verify thatthe received client application credential is valid. If the clientapplication credential is valid, then headless browser 232 may continueto interact with hardened client application 295. If not, then headlessbrowser 232 may close any connection to hardened client application 295until hardened client application 295 provides a valid applicationcredential.

5.3 Sending and Performing Application Instructions

Returning to FIG. 6, in step 640, the headless browser may send thesecond set of specialized instructions to the client application over asecure socket. For example, headless browser 232 may open a long-runningencrypted socket between headless browser 232 and hardened clientapplication 295. In an embodiment, hardened client application 295 mayopen the secure socket with headless browser 232 before headless browser232 intercepts the first set of instructions from a server computer tothe client computer in step 610. Headless browser 232 may send therendered instructions from step 630 to hardened client application 295.

A client application may perform the one or more received applicationinstructions and present a UI accordingly. For example, hardened clientapplication 295 may perform application instructions 290, which causehardened client application 295 to generate the same in-memory datastructures that headless browser 232 generated and/or modified in step620 and/or step 630. Hardened client application 295 may generate and/orpopulate a UI based on application instructions 290 and/or the generatedin-memory data structures. Security module 506 may validate headlessbrowser 232 based on the intermediary credential included in thereceived instructions. Security module 506 may also perform the one ormore instructions to generate a client application credential. Securitymodule 506 may send the client application credential to headlessbrowser 232.

In an embodiment, a headless browser may send application instructionsover time based on validation of the headless browser by the clientapplication and validation of the client application by the headlessbrowser. For example, headless browser 232 may send hardened clientapplication 295 a portion of the application instructions. The portionof application instructions may include an intermediary credential andapplication instructions, which when processed by hardened clientapplication 295, may cause hardened client application 295 to produce aclient application credential and send the client application credentialto headless browser 232. After hardened client application 295 receivesthe portion of application instructions and validates headless browser232, then hardened client application may produce the client applicationcredential and send the client application credential to headlessbrowser 232. After headless browser 232 receives and validates theclient application credential, then headless browser 232 may send theremainder of the application instructions generated in step 620 and/orstep 630 to hardened client application 295.

5.4 Requesting Additional Instructions

In step 650, the headless browser may receive a request from the clientapplication over the open secure socket. For example, hardened clientapplication 295 may receive input indicating that a user selected aparticular button that is a link to additional content that hardenedclient application 295 does not have. In response, hardened clientapplication 295 may submit a request to headless browser 232 for theadditional content.

In step 660, the headless browser caches data based on the request. Forexample, protocol server module 338 may receive the request and pass therequest to transaction module 340. The request may include usercredentials to login and control a bank account. Transaction module 340may store the credentials in data store 240. Additionally oralternatively, protocol server module 338 may store the credentials indata store 240.

In step 670, the headless browser determines whether data is needed froma remote server computer. For example, if the request received in step650 is for data stored in data store 240, then control may proceed tostep 690; otherwise control may proceed to step 680.

In step 680, the headless browser requests and receives data from aserver computer. For example, transaction module 340 may forward therequest received in step 650 to reverse transformer 342. Reversetransformer 342 may generate a new request based on the request receivedin step 650. For example, reverse transformer 342 may generate a newrequest by modifying the received request based on the changes made byforward transformer 336, including any attribute maps and/or DOM mapsstored in data store 240. After the new request is generated by reversetransformer 342, reverse transformer 342 sends the request throughprotocol client module 332. The new request may be sent to original webserver computer 302 and/or any other server that stores the requesteddata and/or instructions. Protocol client module 332 may receive therequested data from original web server computer 302.

In step 690, the headless browser sends a response to hardened clientapplication. For example, if transaction module 340 determines that thedata requested by hardened client application 295 is stored in datastore 240 in step 670, then transaction module 340 may collect therequested data from the data store 240 and send the data to forwardtransformer 336. Forward transformer 336 may render applicationinstructions based on the collected data and send the applicationinstructions through protocol server module 338 to hardened clientapplication 295. Additionally or alternatively, if additional dataand/or instructions were received from a server computer in step 680,then browser backend 334 and/or forward transformer 336 may renderapplication instructions based on the received data and/or instructions.Forward transformer 336 may send the application instructions tohardened client application 295 through protocol server module 338.

6.0 AN EXAMPLE PROCESS TO MANAGE A BANK ACCOUNT THROUGH A HARDENEDCLIENT APPLICATION AND A HEADLESS BROWSER

The computer systems, logic and processes described herein may beapplied in many tangible, concrete contexts with the result and benefitof improving machine efficiency by preventing the unnecessary executionof non-secure and/or unexpected machine operations. As an example, thetechniques herein may be used to manage a bank account through ahardened client application and a headless browser according to anembodiment. For purposes of illustrating a clear example, this exampleprocess may be described with reference to one or more figures, butusing the particular arrangement illustrated in the one or more otherfigures is not required in other embodiments. While this processdescribes managing a bank account for purposes of illustrating a clearexample, other embodiments may omit, add to, reorder, and/or modify anyof the elements discussed.

An account holder at a particular bank, using a web browser, such asbrowser 100, running on client computer 299, may request account datafrom the particular bank. In response, the particular bank may sendHTML, CSS, and/or JavaScript instructions, which when executed by thebrowser may present the account holder with a link to open, download,and/or install a hardened client application. An option to continueusing the browser may also be presented. The account holder may selectthe link, and the browser may download and/or install the hardenedclient application 295. Additionally or alternatively, the accountholder may download hardened client application 295 through anotherservice, such as an application repository that stores applicationscompatible with client computer 299. For example, hardened clientapplication 295 may be a mobile application that a mobile device maydownload and/or install from a mobile application store. The accountholder may cause client computer 299 to begin executing hardened clientapplication 295.

Hardened client application 295 may open a long-running secure socketwith headless browser 232. Hardened client application 295 and headlessbrowser 232 may exchange credentials, such that hardened clientapplication 295 may validate headless browser 232 and headless browser232 may validate hardened client application 295. If the long-runningsecure socket is closed, then hardened client application 295 and/orheadless browser 232 may open a new long-running secure socket betweeneach other. Hardened client application 295 and headless browser 232 mayvalidate each other again. Additionally or alternatively, hardenedclient application 295 and headless browser 232 may validate each otherperiodically to make sure neither one has been corrupted and/orcompromised. Additionally or alternatively, the client applicationcredential may be a particular hard coded credential provided by thebank, such that only a hardened client application provided by the bankmay use headless browser 232 to access a bank account held at the bank.Furthermore, headless browser 232 may submit the particular hard codedcredential to the bank to indicate that it is handling a request on thebehalf of a hardened client application provided by the bank.

The account holder may enter bank account credentials, such as a username and password, into fields that hardened client application 295 maycause to be displayed. Hardened client application 295 may send headlessbrowser 232 the bank account credentials.

Headless browser 232 may generate a request to send to the bank's webserver(s): web infrastructure 205. Headless browser 232 may store theaccount credentials in data store 240.

In response to sending the account credentials to the banks' webserver(s), headless browser 232 may receive, from web infrastructure205, HTML, CSS, and/or JavaScript instructions. The instructions mayinclude a security token that identifies the account holder, data thatdescribes the state of the account, and/or instructions that define a UIto present at least a portion of the data. Headless browser 232 maystore the security token in data store 240.

Headless browser 232 may execute the instructions, and renderapplication instructions that hardened client application 295 isprogrammed to perform. Headless browser 232 may send the applicationinstructions to hardened client application 295. Headless browser 232may include an intermediary credential that hardened client application295 may use to validate headless browser 232. Headless browser 232 mayinclude one or more instructions to validate hardened client application295.

Hardened client application 295 may receive the applicationinstructions. In response, hardened client application 295 may executethe application instructions and present a UI accordingly. The UI maypresent the account holder with data describing the state of the bankaccount. Additionally or alternatively, hardened client application 295may validate headless browser 232 using the included intermediarycredential. Hardened client application 295 may perform the one or moreinstructions to validate hardened client application 295. Hardenedclient application 295 may produce a client application credentialaccordingly. Hardened client application 295 may send the clientapplication credential to headless browser 232. Headless browser 232 mayvalidate hardened client application 295 accordingly.

Hardened client application 295 may receive data from client computer299 indicating that the account holder selected a button in the UIrequesting a list of recent transactions. In response, hardened clientapplication 295 may send a request to headless browser 232 for the listof recent transactions through the long-running socket. Hardened clientapplication 295 need not include the security token received from webinfrastructure 205, because in this example, headless browser 232 storedthe security token in data store 240.

Headless browser 232 may receive the request for the list of recenttransactions. If headless browser 232 already had the list of recenttransactions stored in data store 240, then headless browser 232 maygenerate and respond with application instructions that include the listof recent transactions from data store 240. However, for this example,assume that data store 240 does not include the list of recenttransactions for the account holder's account. Thus, headless browser232 may send a request for the list of recent transactions to webinfrastructure 205. Headless browser 232 may identify the particularaccount by including the security token received from web infrastructure205, which was stored in data store 240.

Headless browser 232 may receive HTML, CSS, and/or JavaScriptinstructions describing the list of recent transactions. Headlessbrowser 232 may execute the instructions and produce a new set ofapplication instructions. Headless browser 232 may send the newapplication instructions to hardened client application 295.

Hardened client application 295 may present the list of recenttransactions to the account holder through client computer 299. The listof recent transactions may be presented in a UI according to thereceived, new application instructions.

In the above example, an account holder uses a hardened clientapplication to securely control a corresponding bank account with acredential that identified the account holder. Additionally oralternatively, one or more users may use a hardened client applicationto browse one or more web servers anonymously and/or securely throughthe same headless browser. In all cases, a benefit of these techniquesis that machine efficiency is improved because the computers involved ina transaction or process are not required to execute unnecessaryinstructions or operations that would otherwise occur as a result of theinfluence of malware or fraudsters. In some cases, transactions orprocesses may execute more rapidly because such unnecessary operationsare avoided.

7.0 MITIGATING RISK OF INFECTING A GROUP'S INTERNAL SERVER COMPUTER

Groups, such as companies, that allow members, such as employees, to usetheir own personal client computers on a company network, may riskinternal server computers being infected with malicious programsinstalled on personal client computers. A group may reduce the risk byrequiring members using personal devices to access an internal servercomputer through a hardened client application and a headless browserrunning on a local intermediary computer.

The internal server computer may be configured to accept connectionsbetween headless browsers running on local intermediary computers, butneed not accept other connections. For example, if an employee wantsaccess to a company's local server computer, then the employee mayinstall a hardened client application. The employee may interface withthe company's local server computer through the installed hardenedclient application and a headless browser executed on a localintermediary.

The hardened client application may be distributed by the groupinternally. The hardened client application may be a proprietary clientapplication developed by and/or for the group and its members. Thehardened client application and/or the internal intermediary computermay be configured to perform operations that the group has deemed to besafe. The headless browser may be a proprietary headless browserdeveloped by and/or for the group and its members. The headless browsermay be configured to send data, requests, and/or instructions to thegroup's internal server computer that the group has deemed to be safe.Thus, an exclusive group, such as a company, may mitigate risk by using,internally, the techniques discussed herein.

8.0 IMPLEMENTATION MECHANISMS Hardware Overview

According to one embodiment, the techniques described herein areimplemented by one or more special-purpose computing devices. Thespecial-purpose computing devices may be hard-wired to perform thetechniques, or may include digital electronic devices such as one ormore application-specific integrated circuits (ASICs) or fieldprogrammable gate arrays (FPGAs) that are persistently programmed toperform the techniques, or may include one or more general purposehardware processors programmed to perform the techniques pursuant toprogram instructions in firmware, memory, other storage, or acombination. Such special-purpose computing devices may also combinecustom hard-wired logic, ASICs, or FPGAs with custom programming toaccomplish the techniques. The special-purpose computing devices may bedesktop computer systems, portable computer systems, handheld devices,networking devices or any other device that incorporates hard-wiredand/or program logic to implement the techniques.

For example, FIG. 9 is a block diagram that illustrates a computersystem 900 upon which an embodiment of the invention may be implemented.Computer system 900 includes a bus 902 or other communication mechanismfor communicating information, and a hardware processor 904 coupled withbus 902 for processing information. Hardware processor 904 may be, forexample, a general purpose microprocessor.

Computer system 900 also includes a main memory 906, such as a randomaccess memory (RAM) or other dynamic storage device, coupled to bus 902for storing information and instructions to be executed by processor904. Main memory 906 also may be used for storing temporary variables orother intermediate information during execution of instructions to beexecuted by processor 904. Such instructions, when stored innon-transitory storage media accessible to processor 904, rendercomputer system 900 into a special-purpose machine that is customized toperform the operations specified in the instructions.

Computer system 900 further includes a read only memory (ROM) 908 orother static storage device coupled to bus 902 for storing staticinformation and instructions for processor 904. A storage device 910,such as a magnetic disk or optical disk, is provided and coupled to bus902 for storing information and instructions.

Computer system 900 may be coupled via bus 902 to a display 912, such asa cathode ray tube (CRT), for displaying information to a computer user.An input device 914, including alphanumeric and other keys, is coupledto bus 902 for communicating information and command selections toprocessor 904. Another type of user input device is cursor control 916,such as a mouse, a trackball, or cursor direction keys for communicatingdirection information and command selections to processor 904 and forcontrolling cursor movement on display 912. This input device typicallyhas two degrees of freedom in two axes, a first axis (e.g., x) and asecond axis (e.g., y), that allows the device to specify positions in aplane.

Computer system 900 may implement the techniques described herein usingcustomized hard-wired logic, one or more ASICs or FPGAs, firmware and/orprogram logic which in combination with the computer system causes orprograms computer system 900 to be a special-purpose machine. Accordingto one embodiment, the techniques herein are performed by computersystem 900 in response to processor 904 executing one or more sequencesof one or more instructions contained in main memory 906. Suchinstructions may be read into main memory 906 from another storagemedium, such as storage device 910. Execution of the sequences ofinstructions contained in main memory 906 causes processor 904 toperform the process steps described herein. In alternative embodiments,hard-wired circuitry may be used in place of or in combination withsoftware instructions.

The term “storage media” as used herein refers to any non-transitorymedia that store data and/or instructions that cause a machine tooperation in a specific fashion. Such storage media may comprisenon-volatile media and/or volatile media. Non-volatile media includes,for example, optical or magnetic disks, such as storage device 910.Volatile media includes dynamic memory, such as main memory 906. Commonforms of storage media include, for example, a floppy disk, a flexibledisk, hard disk, solid state drive, magnetic tape, or any other magneticdata storage medium, a CD-ROM, any other optical data storage medium,any physical medium with patterns of holes, a RAM, a PROM, and EPROM, aFLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction withtransmission media. Transmission media participates in transferringinformation between storage media. For example, transmission mediaincludes coaxial cables, copper wire and fiber optics, including thewires that comprise bus 902. Transmission media can also take the formof acoustic or light waves, such as those generated during radio-waveand infra-red data communications.

Various forms of media may be involved in carrying one or more sequencesof one or more instructions to processor 904 for execution. For example,the instructions may initially be carried on a magnetic disk or solidstate drive of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 900 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detector canreceive the data carried in the infra-red signal and appropriatecircuitry can place the data on bus 902. Bus 902 carries the data tomain memory 906, from which processor 904 retrieves and executes theinstructions. The instructions received by main memory 906 mayoptionally be stored on storage device 910 either before or afterexecution by processor 904.

Computer system 900 also includes a communication interface 918 coupledto bus 902. Communication interface 918 provides a two-way datacommunication coupling to a network link 920 that is connected to alocal network 922. For example, communication interface 918 may be anintegrated services digital network (ISDN) card, cable modem, satellitemodem, or a modem to provide a data communication connection to acorresponding type of telephone line. As another example, communicationinterface 918 may be a local area network (LAN) card to provide a datacommunication connection to a compatible LAN. Wireless links may also beimplemented. In any such implementation, communication interface 918sends and receives electrical, electromagnetic or optical signals thatcarry digital data streams representing various types of information.

Network link 920 typically provides data communication through one ormore networks to other data devices. For example, network link 920 mayprovide a connection through local network 922 to a host computer 924 orto data equipment operated by an Internet Service Provider (ISP) 926.ISP 926 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the“Internet” 928. Local network 922 and Internet 928 both use electrical,electromagnetic or optical signals that carry digital data streams. Thesignals through the various networks and the signals on network link 920and through communication interface 918, which carry the digital data toand from computer system 900, are example forms of transmission media.

Computer system 900 can send messages and receive data, includingprogram code, through the network(s), network link 920 and communicationinterface 918. In the Internet example, a server 930 might transmit arequested code for an application program through Internet 928, ISP 926,local network 922 and communication interface 918.

The received code may be executed by processor 904 as it is received,and/or stored in storage device 910, or other non-volatile storage forlater execution.

9.0 OTHER ASPECTS OF DISCLOSURE

Using the networked computer arrangements, intermediary computer, and/orprocessing methods described herein, security in client-server dataprocessing may be significantly increased. In particular, the use ofbrowser programs becomes significantly more secure. Forward transformingand reverse transforming techniques herein effectively permitobfuscating data field and/or container identifiers and DOM modificationfor data that is financial, personal, or otherwise sensitive so thatattackers cannot determine which fields and/or containers in a web pageinclude the sensitive data. Consequently, one or more various attacks,such as a denial of service (“DOS”) attack, credential stuffing, fakeaccount creation, ratings or results manipulation, man in the browserattacks, reserving rival goods or services, scanning forvulnerabilities, and/or exploitation of vulnerabilities, are frustratedbecause all fields and/or containers appear to the attacker to begibberish, or at least cannot be identified as indicating credit carddata, bank account numbers, personally identifying information,confidential data, sensitive data, proprietary data, and/or other data.

In the foregoing specification, embodiments of the invention have beendescribed with reference to numerous specific details that may vary fromimplementation to implementation. The specification and drawings are,accordingly, to be regarded in an illustrative rather than a restrictivesense. The sole and exclusive indicator of the scope of the invention,and what is intended by the applicants to be the scope of the invention,is the literal and equivalent scope of the set of claims that issue fromthis application, in the specific form in which such claims issue,including any subsequent correction.

What is claimed is:
 1. A method comprising: intercepting, from a server computer, a first set of instructions that define a user interface; executing, using a headless browser, the first set of instructions without presenting the user interface; rendering a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the client computer; wherein the method is performed by one or more computing devices.
 2. The method of claim 1 further comprising: executing, using the headless browser, the first set of instructions to produce one or more data structures in memory; rendering the second set of instructions, which when executed by the client application cause the client computer to generate the one or more data structures in memory on the client computer.
 3. The method of claim 1 further comprising: executing, using the headless browser, the first set of instructions to produce one or more data structures in memory; updating the one or more data structures based, at least in part, on a configuration to produce one or more updated data structures; rendering the second set of instructions, which when executed by the client application cause the client computer to generate the one or more updated data structures in memory on the client computer.
 4. The method of claim 1 further comprising: rendering the second set of instructions, which when executed by the client application causes the client application to validate the client application and send a dynamic client credential; receiving the dynamic client credential from the client application; verifying the dynamic client credential is correct.
 5. The method of claim 1 further comprising: receiving, at an intermediary computer, a first request for a first intermediary credential to verify that the intermediary computer is a valid intermediary computer; sending the first intermediary credential to the client application; receiving, at the intermediary computer, a second request for a second intermediary credential, wherein the first request is different than the second request; sending the second intermediary credential to the client application, wherein the first intermediary credential is different than the second intermediary credential.
 6. The method of claim 1 further comprising: rendering the second set of instructions, which when executed by the client application causes the client application to auto-generate data interspersed into keyboard data.
 7. The method of claim 1 further comprising: intercepting, from the server computer, the first set of instructions that included one or more headers; stripping out the one or more headers; rendering the second set of instructions, wherein the second set of instructions do not include the one or more headers.
 8. The method of claim 1 further comprising: receiving, from a second web server, a set of supplementary instructions, which the first set of instructions reference and which define a portion of the user interface; executing, by the headless browser, the set of supplementary instructions without presenting the portion of the user interface; rendering the second set of instructions, which when executed by the client application on the client computer, cause the client computer to present the portion of the user interface to a user, wherein the second set of instructions are different than the set of supplementary instructions.
 9. The method of claim 1 further comprising: intercepting, from the client application, a set of user data; caching the set of user data; receiving, from the client application, a request to be sent to the server computer; generating a modified request based on the request and the set of user data; sending the modified request to the server computer.
 10. The method of claim 1 further comprising: sending the second set of instructions to the client application through a persistent secure socket connection; receiving, from the client application, a request, which is not based on a URL, to perform a process and return a result, though the persistent secure socket connection; performing the process; sending the result to the client application, through the persistent secure socket connection.
 11. A computer comprising: a processor; a memory; a browser backend module configured to: intercept, from a server computer, a first set of instructions that define a user interface; execute the first set of instructions without presenting the user interface; a forward transformer module configured to: render a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; send the second set of instructions to the client computer.
 12. The computer of claim 11, wherein: the browser backend module is further configured to execute the first set of instructions to produce one or more data structures in memory; the forward transformer module is further configured to render the second set of instructions, which when executed by the client application cause the client computer to generate the one or more data structures in memory on the client computer.
 13. The computer of claim 11, wherein: the browser backend module is further configured to execute the first set of instructions to produce one or more data structures in memory; the forward transformer module is further configured to: update the one or more data structures based, at least in part, on a configuration to produce one or more updated data structures; render the second set of instructions, which when executed by the client application cause the client computer to generate the one or more updated data structures in memory on the client computer.
 14. The computer of claim 11, wherein: the forward transformer module is further configured to render the second set of instructions, which when executed by the client application causes the client application to validate the client application and send a dynamic client credential; the computer further comprises a transaction module configured to: receive the dynamic client credential from the client application; verify the dynamic client credential is correct.
 15. The computer of claim 11, wherein: the computer comprises a transaction module configured to: receive a first request for a first intermediary credential to verify that the computer is a valid intermediary computer; receive a second request for a second intermediary credential, wherein the first request is different than the second request; the forward transformer module is further configured to: send the first intermediary credential to the client application; send the second intermediary credential to the client application, wherein the first intermediary credential is different than the second intermediary credential.
 16. The computer of claim 11, wherein the forward transformer module is further configured to render the second set of instructions, which when executed by the client application causes the client application to auto-generate data interspersed into keyboard data.
 17. The computer of claim 11, wherein: the browser backend module is further configured to: intercept, from the server computer, the first set of instructions that included one or more headers; strip out the one or more headers; the forward transformer module is further configured to render the second set of instructions, wherein the second set of instructions do not include the one or more headers.
 18. The computer of claim 11, wherein: the browser backend module is further configured to: receive, from a second web server, a set of supplementary instructions, which the first set of instructions reference and which define a portion of the user interface; execute the set of supplementary instructions without presenting the portion of the user interface; the forward transformer module is further configured to render the second set of instructions, which when executed by the client application on the client computer, cause the client computer to present the portion of the user interface to a user, wherein the second set of instructions are different than the set of supplementary instructions.
 19. The computer of claim 11 comprising: a transaction module configured to: intercept, from the client application, a set of user data; cache the set of user data; receive, from the client application, a request to be sent to the server computer; a reverse transformer module configured to: generate a modified request based on the request and the set of user data; send the modified request to the server computer.
 20. The computer of claim 11, wherein: the forward transformer module is further configured to send the second set of instructions to the client application through a persistent secure socket connection; the computer comprises a transaction module configured to: receive, from the client application, a request, which is not based on a URL, to perform a process and return a result, though the persistent secure socket connection; perform the process; send the result to the client application, through the persistent secure socket connection. 